1. Field of the Invention
The present invention relates to an improved data processing system and, in particular, to a method and apparatus for multicomputer data transferring. Still more particularly, the present invention is directed to authentication methods within computer systems.
2. Description of Related Art
E-commerce web sites and web applications perform transactions over computer networks on behalf of users. A user must often pass through an authentication procedure in order to prove the user's identity to an appropriate level of certainty for security purposes. In an e-commerce web-based environment, computer systems often implement authentication services as a form of front door or sentry gate for accessing a web site. These authentication services sit in front of applications, i.e. between the user and the applications, to ensure that the user is authenticated before obtaining access to any resources. These authentication services may be implemented as a web server plug-in, a reverse proxy, or other similar technology.
Enterprises generally desire to provide authorized users with secure access to protected resources in a user-friendly manner throughout a variety of networks, including the Internet. Although providing secure authentication mechanisms reduces the risks of unauthorized access to protected resources, those authentication mechanisms may become barriers to accessing protected resources. Users generally desire the ability to change from interacting with one application to another application without regard to authentication barriers that protect each particular system supporting those applications.
As users get more sophisticated, they expect that computer systems coordinate their actions so that burdens on the user are reduced. These types of expectations also apply to authentication processes. A user might assume that once he or she has been authenticated by some computer system, the authentication should be valid throughout the user's working session, or at least for a particular period of time, without regard to the various computer architecture boundaries that are almost invisible to the user. Enterprises generally try to fulfill these expectations in the operational characteristics of their deployed systems, not only to placate users but also to increase user efficiency, whether the user efficiency is related to employee productivity or customer satisfaction.
Many computer systems have different types of authentication for different levels of security. For example, after a successful completion of a first level of authentication in which a correct username and password combination is provided by a user, a system may provide access to a particular set of resources on a web site. A second level of authentication might require a user to present a hardware token, e.g., a smartcard, after which the user is provided access to more tightly controlled resources on the web site. A third level of authentication might require the user to provide some form of biometric data, e.g., through a fingerprint scan or a retina scan, after which the system provides access to very sensitive or confidential resources on a web site. The process of moving up from one authentication level to the next level is termed “step-up authentication” or “forced re-authentication”. In other words, the user steps from one level of authentication up to a higher level as required by a system in order to gain access to more sensitive resources.
Authentication can be accomplished with known authentication methods, but support for multiple custom methods is not easily accomplished. Authentication methods within typical reverse proxies are often limited to out-of-the-box supported methods, e.g., mutually authenticated SSL (Secure Sockets Layer), or various custom methods. Adding support for a new authentication method is not a simple process as a new authentication method is typically internalized within a server. Even within those systems that have support for adding new authentication methods by external applications, the support is limited in that it is possible to create a session for a user based on externalized authentication information but not possible to update a user's current session credentials, e.g., to reflect completion of another authentication operation.
To work around this limitation, current solutions cancel a user's current session and establish a new session with the new authentication method included in the new session information and credential information. A system can attempt to establish a new session in a manner that is invisible to the user, thereby reducing the burden on the user of awareness of the new session when such awareness is not required of the user. However, a problem remains in that state information is generally lost to some degree from the user's original session; in other words, downstream applications or protected resources may have some unforeseen problem with respect to the change from the old session to the new session. 
Therefore, it would be advantageous to have a method and a system that can extend authentication methods to externalized applications that can update a user's credentials without requiring the establishment of a new session for the user, thereby obtaining a higher level of security that is required by an authentication service or by a protected resource for some purpose. 
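The difference between the session-replacement workaround and an in-place credential update can be seen in a small model of an authentication front end. This is an added illustration, not code from the patent or from any product; the `Proxy` and `Session` classes, the resource paths and the session state are hypothetical.

```python
import secrets
from dataclasses import dataclass, field

# Added illustration; all class, function and path names are hypothetical.
# Levels from the text: password < hardware token < biometric.
LEVELS = {"password": 1, "token": 2, "biometric": 3}

@dataclass
class Session:
    user: str
    methods: list                               # completed authentication methods
    state: dict = field(default_factory=dict)   # state downstream applications rely on
    @property
    def level(self):
        return max(LEVELS[m] for m in self.methods)

class Proxy:
    def __init__(self, required):
        self.required = required    # resource path -> minimum level
        self.sessions = {}          # session id -> Session

    def login(self, user, method):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user, [method])
        return sid

    def authorize(self, sid, path):
        """Return 'allow', 'step-up' (level too low) or 'login' (no session)."""
        s = self.sessions.get(sid)
        if s is None:
            return "login"
        return "allow" if s.level >= self.required.get(path, 1) else "step-up"

    def step_up_replace(self, sid, method):
        """Workaround in the text: cancel the session, establish a new one."""
        old = self.sessions.pop(sid)
        return self.login(old.user, method)     # old.state is not carried over

    def step_up_update(self, sid, method):
        """Update the current session's credentials; id and state survive."""
        self.sessions[sid].methods.append(method)
        return sid

def demo():
    proxy, out = Proxy({"/catalog": 1, "/transfer": 2}), {}
    for name, step_up in (("replace", proxy.step_up_replace),
                          ("update", proxy.step_up_update)):
        sid = proxy.login("alice", "password")
        proxy.sessions[sid].state["cart"] = ["item-42"]   # constructed sample state
        before = proxy.authorize(sid, "/transfer")
        new_sid = step_up(sid, "token")
        out[name] = (before, proxy.authorize(new_sid, "/transfer"),
                     new_sid == sid, proxy.sessions[new_sid].state)
    return out
```

Both strategies satisfy the level-2 check on `/transfer`, but only the in-place update keeps the session identifier and the state that downstream applications attached to it.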